[bug#48000,3/5] gnu: gst-plugins-bad: Fix an overflow when processing video files.

Message ID	e4d2798393c64500047962eeb90f78fd25eb5774.1619291675.git.leo@famulari.name
State	Accepted
Headers	show Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> Subject: [bug#48000] [PATCH 3/5] gnu: gst-plugins-bad: Fix an overflow when processing video files. Resent-From: Leo Famulari <leo@famulari.name> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 24 Apr 2021 19:15:01 +0000 Resent-Message-ID: <handler.48000.B48000.161929169320312@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org From: Leo Famulari <leo@famulari.name> Date: Sat, 24 Apr 2021 15:14:33 -0400 Message-Id: <e4d2798393c64500047962eeb90f78fd25eb5774.1619291675.git.leo@famulari.name> In-Reply-To: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name> References: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-getmail-retrieved-from-mailbox: Patches
Series	[bug#48000,1/5] gnu: gst-plugins-good: Fix CVE-2021-3497 and CVE-2021-3498. \| expand [bug#48000,1/5] gnu: gst-plugins-good: Fix CVE-2021-3497 and CVE-2021-3498. [bug#48000,2/5] gnu: gst-libav: Fix a stack corruption bug. [bug#48000,3/5] gnu: gst-plugins-bad: Fix an overflow when processing video files. [bug#48000,4/5] gnu: gst-plugins-base: Fix an invalid read when parsing ID3v2 tags. [bug#48000,5/5] gnu: gst-plugins-ugly: Fix some out-of-bounds reads.

Context	Check	Description
cbaines/submitting builds	success
cbaines/comparison	success	View comparision
cbaines/git branch	success	View Git branch
cbaines/applying patch	success	View Laminar job
cbaines/issue	success	View issue

diff --git a/gnu/local.mk b/gnu/local.mk index b3e84be598..94d7daf910 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1170,6 +1170,7 @@ dist_patch_DATA = \ %D%/packages/patches/grub-verifiers-Blocklist-fallout-cleanup.patch \ %D%/packages/patches/gspell-dash-test.patch \ %D%/packages/patches/gst-libav-64channels-stack-corruption.patch \ + %D%/packages/patches/gst-plugins-bad-fix-overflow.patch \ %D%/packages/patches/gst-plugins-good-fix-test.patch \ %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \ %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \ diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm index 81ac0a2f5f..58a02119c6 100644 --- a/gnu/packages/gstreamer.scm +++ b/gnu/packages/gstreamer.scm @@ -681,6 +681,7 @@ model to base your own plug-in on, here it is.") (method url-fetch) (uri (string-append "https://gstreamer.freedesktop.org/src/" name "/" name "-" version ".tar.xz")) + (patches (search-patches "gst-plugins-bad-fix-overflow.patch")) (sha256 (base32 "06ildd4rl6cynirv3p00d2ddf5is9svj4i7mkahldzhq24pq5mca")))) diff --git a/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch new file mode 100644 index 0000000000..95ab13db51 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch @@ -0,0 +1,263 @@ +Fix an overflow when calculating something for AVC/HEVC videos: + +https://security-tracker.debian.org/tracker/TEMP-0000000-C6AAE1 + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0cfbf7ad91c7f121192c8ce135769f8eb276c41d +From 0cfbf7ad91c7f121192c8ce135769f8eb276c41d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> +Date: Tue, 23 Mar 2021 19:19:14 +0200 +Subject: [PATCH] h2645parser: Catch overflows in AVC/HEVC NAL unit length + calculations + +Offset and size are stored as 32 bit guint and might overflow when +adding the nal_length_size, so let's avoid that. + +For the size this would happen if the AVC/HEVC NAL unit size happens to +be stored in 4 bytes and is 4294967292 or higher, which is likely +corrupted data anyway. + +For the offset this is something for the caller of these functions to +take care of but is unlikely to happen as it would require parsing on a +>4GB buffer. + +Allowing these overflows causes all kinds of follow-up bugs in the +h2645parse elements, ranging from infinite loops and memory leaks to +potential memory corruptions. + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2107> +--- + gst-libs/gst/codecparsers/gsth264parser.c | 16 +++++- + gst-libs/gst/codecparsers/gsth265parser.c | 16 +++++- + tests/check/libs/h264parser.c | 60 +++++++++++++++++++++++ + tests/check/libs/h265parser.c | 60 +++++++++++++++++++++++ + 4 files changed, 150 insertions(+), 2 deletions(-) + +diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c +index 012f1d0d7..68aa25068 100644 +--- a/gst-libs/gst/codecparsers/gsth264parser.c ++++ b/gst-libs/gst/codecparsers/gsth264parser.c +@@ -1556,6 +1556,14 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser, + + memset (nalu, 0, sizeof (*nalu)); + ++ /* Would overflow guint below otherwise: the callers needs to ensure that ++ * this never happens */ ++ if (offset > G_MAXUINT32 - nal_length_size) { ++ GST_WARNING ("offset + nal_length_size overflow"); ++ nalu->size = 0; ++ return GST_H264_PARSER_BROKEN_DATA; ++ } ++ + if (size < offset + nal_length_size) { + GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT + ", offset %u", size, offset); +@@ -1570,7 +1578,13 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser, + nalu->sc_offset = offset; + nalu->offset = offset + nal_length_size; + +- if (size < nalu->size + nal_length_size) { ++ if (nalu->size > G_MAXUINT32 - nal_length_size) { ++ GST_WARNING ("NALU size + nal_length_size overflow"); ++ nalu->size = 0; ++ return GST_H264_PARSER_BROKEN_DATA; ++ } ++ ++ if (size < (gsize) nalu->size + nal_length_size) { + nalu->size = 0; + + return GST_H264_PARSER_NO_NAL_END; +diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c +index 26e68b276..dc7f27aa9 100644 +--- a/gst-libs/gst/codecparsers/gsth265parser.c ++++ b/gst-libs/gst/codecparsers/gsth265parser.c +@@ -1531,6 +1531,14 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser, + + memset (nalu, 0, sizeof (*nalu)); + ++ /* Would overflow guint below otherwise: the callers needs to ensure that ++ * this never happens */ ++ if (offset > G_MAXUINT32 - nal_length_size) { ++ GST_WARNING ("offset + nal_length_size overflow"); ++ nalu->size = 0; ++ return GST_H265_PARSER_BROKEN_DATA; ++ } ++ + if (size < offset + nal_length_size) { + GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT + ", offset %u", size, offset); +@@ -1545,7 +1553,13 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser, + nalu->sc_offset = offset; + nalu->offset = offset + nal_length_size; + +- if (size < nalu->size + nal_length_size) { ++ if (nalu->size > G_MAXUINT32 - nal_length_size) { ++ GST_WARNING ("NALU size + nal_length_size overflow"); ++ nalu->size = 0; ++ return GST_H265_PARSER_BROKEN_DATA; ++ } ++ ++ if (size < (gsize) nalu->size + nal_length_size) { + nalu->size = 0; + + return GST_H265_PARSER_NO_NAL_END; +diff --git a/tests/check/libs/h264parser.c b/tests/check/libs/h264parser.c +index c7c46d9a2..d322dd8db 100644 +--- a/tests/check/libs/h264parser.c ++++ b/tests/check/libs/h264parser.c +@@ -229,6 +229,65 @@ GST_START_TEST (test_h264_parse_slice_5bytes) + + GST_END_TEST; + ++GST_START_TEST (test_h264_parse_identify_nalu_avc) ++{ ++ GstH264ParserResult res; ++ GstH264NalUnit nalu; ++ GstH264NalParser *const parser = gst_h264_nal_parser_new (); ++ /* Skip 3 bytes for the start code */ ++ const gsize nal_size = sizeof (slice_dpa) - 3; ++ const gsize buf_size = 4 + nal_size; ++ guint8 *buf = g_new (guint8, buf_size); ++ ++ memcpy (buf + 4, slice_dpa + 3, nal_size); ++ ++ GST_WRITE_UINT16_BE (buf + 2, nal_size); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 2, buf_size, 2, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_OK); ++ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA); ++ assert_equals_int (nalu.offset, 4); ++ assert_equals_int (nalu.size, nal_size); ++ ++ GST_WRITE_UINT32_BE (buf, nal_size); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_OK); ++ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA); ++ assert_equals_int (nalu.offset, 4); ++ assert_equals_int (nalu.size, nal_size); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END); ++ ++ g_free (buf); ++ gst_h264_nal_parser_free (parser); ++} ++ ++GST_END_TEST; ++ + static guint8 nalu_sps_with_vui[] = { + 0x00, 0x00, 0x00, 0x01, 0x67, 0x64, 0x00, 0x28, + 0xac, 0xd9, 0x40, 0x78, 0x04, 0x4f, 0xde, 0x03, +@@ -666,6 +725,7 @@ h264parser_suite (void) + tcase_add_test (tc_chain, test_h264_parse_slice_dpa); + tcase_add_test (tc_chain, test_h264_parse_slice_eoseq_slice); + tcase_add_test (tc_chain, test_h264_parse_slice_5bytes); ++ tcase_add_test (tc_chain, test_h264_parse_identify_nalu_avc); + tcase_add_test (tc_chain, test_h264_parse_invalid_sei); + tcase_add_test (tc_chain, test_h264_create_sei); + +diff --git a/tests/check/libs/h265parser.c b/tests/check/libs/h265parser.c +index 0a0e4db97..5b6a215ec 100644 +--- a/tests/check/libs/h265parser.c ++++ b/tests/check/libs/h265parser.c +@@ -255,6 +255,65 @@ GST_START_TEST (test_h265_parse_slice_6bytes) + + GST_END_TEST; + ++GST_START_TEST (test_h265_parse_identify_nalu_hevc) ++{ ++ GstH265ParserResult res; ++ GstH265NalUnit nalu; ++ GstH265Parser *parser = gst_h265_parser_new (); ++ /* Skip 4 bytes for the start code */ ++ const gsize nal_size = sizeof (slice_eos_slice_eob) - 4; ++ const gsize buf_size = 4 + nal_size; ++ guint8 *buf = g_new (guint8, buf_size); ++ ++ memcpy (buf + 4, slice_eos_slice_eob + 4, nal_size); ++ ++ GST_WRITE_UINT16_BE (buf + 2, nal_size); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 2, buf_size, 2, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_OK); ++ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL); ++ assert_equals_int (nalu.offset, 4); ++ assert_equals_int (nalu.size, nal_size); ++ ++ GST_WRITE_UINT32_BE (buf, nal_size); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_OK); ++ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL); ++ assert_equals_int (nalu.offset, 4); ++ assert_equals_int (nalu.size, nal_size); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END); ++ ++ g_free (buf); ++ gst_h265_parser_free (parser); ++} ++ ++GST_END_TEST; ++ + GST_START_TEST (test_h265_base_profiles) + { + GstH265ProfileTierLevel ptl; +@@ -1101,6 +1160,7 @@ h265parser_suite (void) + tcase_add_test (tc_chain, test_h265_parse_slice_eos_slice_eob); + tcase_add_test (tc_chain, test_h265_parse_pic_timing); + tcase_add_test (tc_chain, test_h265_parse_slice_6bytes); ++ tcase_add_test (tc_chain, test_h265_parse_identify_nalu_hevc); + tcase_add_test (tc_chain, test_h265_base_profiles); + tcase_add_test (tc_chain, test_h265_base_profiles_compat); + tcase_add_test (tc_chain, test_h265_format_range_profiles_exact_match); +-- +2.31.1 +

[bug#48000,3/5] gnu: gst-plugins-bad: Fix an overflow when processing video files.

Checks

Commit Message

Patch